Meta sued for alleged secret tracking of iPhone users • The Register

Meta was sued Wednesday for allegedly tracking and collecting undisclosed data in its Facebook and Instagram apps on Apple iPhones.

The lawsuit [PDF], filed with a United States federal district court in San Francisco, states that the two applications incorporate their own browser, known as WKWebView, which injects JavaScript code to collect data that would otherwise not be available if the apps opened links in the iPhone's default standalone browser.

The claim is based on findings from security researcher Felix Krause, who last month published an analysis of how WKWebView browsers embedded in native applications can be misused to track people and violate privacy expectations.

“When users click on a link within the Facebook app, Meta automatically directs them to the in-app browser it is tracking instead of the smartphone’s default browser, without telling users that this is happening or that they are being tracked,” the complaint states.

“User meta information intercepts, monitors and records personally identifiable information, private health details, text entries and other confidential and sensitive facts.”

In response to Krause’s findings last month, Meta insisted that the code injection was done to respect its users’ privacy choices (aside from their choice of default browser).

“We intentionally developed this code to honor people’s App Tracking Transparency (ATT) choices on our platforms,” a spokesperson for Meta told The Register last month. “The code allows us to aggregate data before it is used for targeted advertising or measurement purposes.”

Meta communications director Andy Stone offered a similar statement via Twitter.

The complaint, which seeks class-action certification, claims that Meta’s secret tracking violates the federal wiretapping statute, the California Invasion of Privacy Act, and state competition law, on the presumption that the data Meta obtained has enabled it to increase its profits and gain an advantage over its competitors.

“Meta’s injection of JavaScript coincides with recent privacy updates for iPhones and other iOS devices,” the complaint says, pointing to the 2021 introduction of iOS 14.5 and its App Tracking Transparency (ATT) framework, which lets users deny apps permission to track them.

Nonsense and nonsense?

The legal filing makes much of how Meta (then known as Facebook) conducted a public relations campaign in an unsuccessful effort to stop ATT, on the grounds that it would harm small businesses that rely on social-data-driven ads.

Meta claims it is following Apple’s ATT rules, and Krause does not dispute that.

However, Meta’s use of in-app browsers in its mobile apps predates Apple’s ATT initiative. Apple unveiled WKWebView at the 2014 Worldwide Developer Conference to replace the previous UIWebView (UIKit) and WebView (AppKit) frameworks; it arrived in iOS 8. With iOS 9, as described at WWDC 2015, another option appeared: SFSafariViewController. That is currently the recommended way to show a website within an app.

And the company’s use of in-app browsers has already sparked concern.

“In addition to limited functionality, WebViews can also be used to effectively conduct man-in-the-middle attacks, since the IAB [in-app browser] developer can arbitrarily inject JavaScript code and even intercept network traffic,” wrote Thomas Steiner, a developer relations engineer at Google, in a blog post three years ago.

In his post, Steiner notes that he saw nothing untoward, such as a “phone home” feature.

Krause took a similar line, noting only the potential for abuse. In a later post, he identified additional data-collection code.

He wrote: “Instagram iOS subscribes to every tap on any button, link, image or other component on external websites rendered within the Instagram app” and also “subscribes whenever the user selects an element of the user interface (such as a text field) on a third party website rendered within the Instagram app.”

However, “subscribes” simply means that the analytics data is accessible within the app; it says nothing about what, if anything, is done with that data. Krause also points out that since 2020 Apple has offered a framework called WKContentWorld that isolates injected scripts from the web page’s own JavaScript environment. Developers using an in-app browser can implement WKContentWorld to make their scripts undetectable from the page, he said.
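The paragraph above explains why detection from the page side is hard: a script the host app injects through a WKUserScript runs without creating a `<script>` element, and if it lives in its own content world its globals are invisible to the page. What a site operator can still see is the DOM, so one practical check is to list any script elements the site did not ship itself. The following is an added example written for this article, not code from The Register, Meta or Felix Krause's research; the origins, the nonce value and the sample script list are constructed placeholders, and the check is limited to injections that add script elements to the document.

```javascript
// Added example, not code from The Register article, Meta or Felix Krause's
// research. A site-side integrity check: report <script> elements the page did
// not ship itself, which is one signal that an in-app browser, extension or
// proxy has altered the page. Hosts and nonce below are constructed placeholders.

// Assumption: the site serves its own external scripts only from these origins.
const OWN_ORIGINS = new Set(["https://www.example.com", "https://static.example.com"]);

// Classify one script descriptor {src, nonce, text} against the site's expectations.
//   "own"     - external script loaded from an origin we serve from
//   "inline"  - inline script carrying the per-response nonce we issued
//   "foreign" - anything else: an external script from another host, or an
//               inline script without our nonce
function classifyScript(desc, ownOrigins, expectedNonce) {
  if (desc.src) {
    let origin;
    try {
      // Resolve relative URLs against our own origin (assumption: the page's origin).
      origin = new URL(desc.src, "https://www.example.com/").origin;
    } catch (_) {
      return "foreign"; // an unparseable src is not something we wrote
    }
    return ownOrigins.has(origin) ? "own" : "foreign";
  }
  return desc.nonce && desc.nonce === expectedNonce ? "inline" : "foreign";
}

// Reduce a list of descriptors to the foreign ones, with a short preview each.
function findForeignScripts(descs, ownOrigins, expectedNonce) {
  return descs
    .filter((d) => classifyScript(d, ownOrigins, expectedNonce) === "foreign")
    .map((d) => ({
      src: d.src || null,
      preview: d.src ? null : (d.text || "").slice(0, 60),
    }));
}

// Browser side: snapshot the current scripts, then keep watching for additions.
// Guarded so the module also loads under Node for the offline check below.
function installScriptWatch(report, ownOrigins, expectedNonce) {
  if (typeof document === "undefined") return null;
  const toDesc = (el) => ({ src: el.src, nonce: el.nonce, text: el.textContent });
  report(findForeignScripts(Array.from(document.scripts).map(toDesc), ownOrigins, expectedNonce));
  const observer = new MutationObserver((mutations) => {
    const added = [];
    for (const m of mutations) {
      for (const n of m.addedNodes) {
        if (n.nodeName === "SCRIPT") added.push(toDesc(n));
      }
    }
    const foreign = findForeignScripts(added, ownOrigins, expectedNonce);
    if (foreign.length) report(foreign);
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample: what document.scripts might look like after something
// other than the site itself has altered the page.
const SAMPLE_SCRIPTS = [
  { src: "https://static.example.com/app.js", nonce: "", text: "" },
  { src: "", nonce: "r4nd0m", text: "window.__cfg = {};" },
  { src: "https://tracker.invalid/collect.js", nonce: "", text: "" },
  { src: "", nonce: "", text: "document.addEventListener('click', e => {});" },
];

// Two entries are flagged: the external script from tracker.invalid and the
// inline listener that carries no nonce.
const sampleReport = findForeignScripts(SAMPLE_SCRIPTS, OWN_ORIGINS, "r4nd0m");

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(sampleReport, null, 2));
  installScriptWatch((foreign) => console.warn("foreign scripts:", foreign), OWN_ORIGINS, "r4nd0m");
}
```

In a real deployment the `report` callback would post the findings to the site's own telemetry endpoint rather than the console. The nonce check mirrors the CSP nonce pattern: only inline scripts the server stamped for this response count as the site's own, so any inline script added later by a hosting app is flagged.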

Whatever Meta is doing internally with its in-app browser, and even granting the company’s insistence that its injected script honors the ATT settings, the plaintiffs suing the company argue that the practice was never disclosed.

“Meta does not disclose the consequences of browsing, browsing and communicating with third party websites from Facebook’s in-app browser, in particular, this overrides the default browser’s privacy settings, which users rely on to block and prevent tracking,” the complaint says. “Likewise, Meta hides the fact that it injects JavaScript that alters external third-party websites so that it can intercept, track and log data that it cannot otherwise access.”

Meta rejects the lawsuit’s claims. “These allegations are baseless and we will defend ourselves vigorously,” a company spokesperson said in an e-mailed statement.

“We have carefully designed our in-app browser to respect users’ privacy choices, including how data can be used for ads.” ®